Vulnerability Description
In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 installed on Windows, the http API located at /consumerweb/secure/download.php. Using this command argument an unauthenticated attacker can execute arbitrary OS commands with SYSTEM privileges.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vembu | Bdr Suite | < 4.2.0.1 |
| Vembu | Offsite Dr | < 4.2.0.1 |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://csirt.divd.nl/2021/05/11/Vembu-zero-days/Third Party Advisory
- https://csirt.divd.nl/cases/DIVD-2020-00011/Third Party Advisory
- https://csirt.divd.nl/cves/CVE-2021-26472/Third Party Advisory
- https://www.wbsec.nl/vembuBroken LinkThird Party Advisory
- https://csirt.divd.nl/2021/05/11/Vembu-zero-days/Third Party Advisory
- https://csirt.divd.nl/cases/DIVD-2020-00011/Third Party Advisory
- https://csirt.divd.nl/cves/CVE-2021-26472/Third Party Advisory
- https://www.wbsec.nl/vembuBroken LinkThird Party Advisory
FAQ
What is CVE-2021-26472?
CVE-2021-26472 is a vulnerability with a CVSS score of 10.0 (CRITICAL). In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 installed on Windows, the http API located at /consumerweb/secure/download.php. Using this command argument an unauthenticated attacker can...
How severe is CVE-2021-26472?
CVE-2021-26472 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-26472?
Check the references section above for vendor advisories and patch information. Affected products include: Vembu Bdr Suite, Vembu Offsite Dr, Microsoft Windows.